When running a pipeline with a Kaniko build task, I see the following error message:
E0105 13:50:28.345758 19 aws_credentials.go:77] while getting AWS credentials NoCredentialProviders: no valid providers in chain. Deprecated. For verbose messaging see aws.Config.CredentialsChainVerboseErrors
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "docker.io/xyz/myimage": POST https://index.docker.io/v2/xyz/myimage/blobs/uploads/: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:xyz/myimage Type:repository] map[Action:push Class: Name:xyz/myimage Type:repository]]
First I created a secret by generating a Docker hub access token. The secret is created using this command:
kubectl create secret docker-registry docker-credential --docker-username=xyz --docker-password=generated-docker-access-token --docker-email=xyz@mail.com --namespace=default
An alternative way is: getting the docker config info:
$ cat ~/.docker/config.json | base64 -w0
Using this info in a secret:
apiVersion: v1
kind: Secret
metadata:
  name: docker-credential
data:
  .dockerconfigjson: <base-64-encoded-json-here>
type: kubernetes.io/dockerconfigjson
Then I installed the Tekton Kaniko task with:
kubectl apply -f https://api.hub.tekton.dev/v1/resource/tekton/task/kaniko/0.6/raw
I run the pipeline in my local Docker Desktop Kubernetes environment with a local Gitea repo.
Before showing the pipeline(run): I tried all kinds of solutions, like using the Docker hub password (iso token), use a Secret with the Docker credentials, etc. Nothing helps, yet.
Finally I created and ran a pipeline(run):
apiVersion: tekton.dev/v1beta1
kind: Pipeline
metadata:
  name: buildpacks-kaniko-pipeline
spec:
  params:
    - name: SOURCE_URL
      type: string
      description: A git repo url where the source code resides.
    - name: SOURCE_REVISION
      description: The branch, tag or SHA to checkout.
      default: ""
  workspaces:
    - name: source-workspace
    - name: dockerconfiginput
  tasks:
    - name: fetch-repository
      taskRef:
        name: git-clone
      workspaces:
        - name: output
          workspace: source-workspace
      params:
        - name: url
          value: "$(params.SOURCE_URL)"
        - name: revision
          value: "$(params.SOURCE_REVISION)"
        - name: subdirectory
          value: ""
        - name: deleteExisting
          value: "true"
    - name: build-kaniko
      taskRef:
        name: kaniko
      runAfter:
        - fetch-repository
      params:
        - name: IMAGE
          value: docker.io/solvedshared/kanikodemo
        - name: DOCKERFILE
          value: ./Dockerfile
        - name: CONTEXT
          value: ./
      workspaces:
        - name: source
          workspace: source-workspace
        - name: dockerconfig
          workspace: dockerconfiginput
---
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
  name: buildpacks-kaniko-pipeline-run
spec:
  pipelineRef:
    name: buildpacks-kaniko-pipeline
  workspaces:
    - name: source-workspace
      persistentVolumeClaim:
        claimName: source-kaniko-pvc
    - name: dockerconfiginput
      secret:
        secretName: docker-credential
  serviceAccountName: build-bot
  params:
    - name: SOURCE_URL
      value: http://gitea-gitea-http.default.svc.cluster.local:3000/gituser/kaniko-demo.git
    - name: SOURCE_REVISION
      value: master
I also tried to use another BUILD_IMAGE:
- name: BUILDER_IMAGE
  value: bitnami/kaniko:1.19.2
This time I got this error message:
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "docker.io/xyz/myimage": POST https://index.docker.io/v2/xyz/myimage/blobs/uploads/: UNAUTHORIZED: authentication required; [map[Action:pull Class: Name:xyz/myimage Type:repository] map[Action:push Class: Name:xyz/myimage Type:repository]]
First approach:
Generate the secrets file like this:
$ kubectl create secret docker-registry docker-credential \
    --docker-username=xyz --docker-password=xyzpassword --docker-email=xyz@mail.com --namespace=default
Write the secret to a new yaml:
$ kubectl get secret docker-credential -o yaml > key-alt.yaml
Edit the file so it looks like (I could have left the docker-registry out):
apiVersion: v1
data:
  config.json: ewoJImF1***SIKCQl9Cgl9Cn0=
kind: Secret
metadata:
  name: docker-credential-3
  namespace: default
Create the secret:
$ kubectl apply -f key-alt.yaml
The 'red herring' was that you normally generate a docker secret using the type 'docker-registry'. It will create the secret with the key '.dockerconfig'. The Tekton task uses a different route: it requires the 'config.json' as the key of the Secret resource.
Second approach:
The second approach retrieves the config.json by specifying the key '.dockerconfig'.
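The re-keying from the first approach can be checked and done mechanically. The following is an added example, not part of the original answer or the Tekton task: it takes the JSON form of a secret (as `kubectl get secret docker-credential -o json` would return it), reports why Kaniko would find no credentials when it is mounted as a workspace, and builds the `config.json`-keyed copy. The function names, the sample secret and its placeholder credentials are constructed for illustration.

```python
import base64
import json

# Constructed sample: JSON form of a secret made with
# `kubectl create secret docker-registry` (credentials are placeholders).
CFG = {"auths": {"https://index.docker.io/v1/": {
    "username": "xyz", "password": "placeholder-token",
    "auth": base64.b64encode(b"xyz:placeholder-token").decode()}}}
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "kubernetes.io/dockerconfigjson",
    "metadata": {"name": "docker-credential", "namespace": "default"},
    "data": {".dockerconfigjson": base64.b64encode(json.dumps(CFG).encode()).decode()},
}

def find_docker_config(secret):
    """Return (key, decoded config dict) for whichever docker config key is present."""
    data = secret.get("data", {})
    for key in ("config.json", ".dockerconfigjson"):
        if key in data:
            return key, json.loads(base64.b64decode(data[key]))
    raise ValueError("secret has neither 'config.json' nor '.dockerconfigjson'")

def diagnose(secret, registry="https://index.docker.io/v1/"):
    """List reasons Kaniko would find no credentials when this secret is mounted as-is."""
    problems = []
    key, cfg = find_docker_config(secret)
    # A secret volume creates one file per data key, so the key is the file name.
    if key != "config.json":
        problems.append(f"key is '{key}'; mounted file must be named 'config.json'")
    if registry not in cfg.get("auths", {}):
        problems.append(f"no auths entry for {registry}")
    return problems

def rekey_for_kaniko(secret, new_name):
    """Build an Opaque secret holding the same docker config under 'config.json'."""
    key, _ = find_docker_config(secret)
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": new_name,
                     "namespace": secret["metadata"].get("namespace", "default")},
        "data": {"config.json": secret["data"][key]},
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_SECRET))
    fixed = rekey_for_kaniko(SAMPLE_SECRET, "docker-credential-3")
    print(diagnose(fixed))              # empty list: nothing left to fix
    print(json.dumps(fixed, indent=2))  # kubectl apply -f accepts JSON manifests
```

The printed manifest contains the base64-encoded credentials, so pipe it straight to `kubectl apply -f -` rather than saving it in the repository.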